31st January Weekly Podcast: Facebook VPN, FaceTime bug, and Internet Explorer 10

In this week’s podcast we discuss Facebook’s VPN, an Apple FaceTime bug being discovered and the end of Internet Explorer 10

Hello and welcome to the IT Governance podcast for Thursday, 31st January 2019. Neil is unfortunately off sick today, so I will be doing my best to fill in.

Here are this week’s stories.

Facebook feature in the news yet again, this time for ‘secretly’ paying teens and young adults $20 per month to install a VPN on their phones, allowing the company to essentially track the users entire phone and web activity.  This comes after Apple previously banned Facebook’s Onavo Protect app, back in June, for its requirement to have root access to network traffic, allowing Facebook to decrypt and analyse users phone activity. According to TechCrunch, “Facebook even asked users to screenshot their Amazon order history page”.

Will Strafach, Guardian Mobile Firewall’s security expert, said: “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.”

By installing the ‘Root Certificate’ as the app states, users are allowing facebook continuous access to their most sensitive data. Strafach noted: “…most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this.”

It will be interesting to see how this develops, as it raises the question of just how explicit a user’s consent must be, and what level of understanding a company is reasonably allowed to assume of its users. In this case the users gave consent to the app, but did they really understand what they were consenting to?

You may have already heard about the FaceTime bug that enabled users to force other iPhones to answer, even without any action from the receiving party. This was achieved by calling a number, swiping up and then adding another contact to the call. Whilst this would undoubtedly raise security concerns for many, the bug would have been of little interest to criminals even if it was known, as it would require one-to-one phone contact in real-time with the victim and hope that they would incidentally reveal any useful information before discovering what is going on. Perhaps the larger concern in this story is how it was (or nearly wasn’t) reported.

The bug was reportedly discovered by a teenage boy, whilst trying to contact his friends to play ‘Fortnite’. The boy then showed his mother what he had discovered. Suitably shocked, the mother began what would be an arduous journey to inform Apple of the bug. After being passed around by various employees and departments at Apple, filing a bug report and even registering as a developer to highlight the bug, she turned to twitter to mention the issue announcing she had video evidence of the bug. The story was eventually picked up by multiple news outlets starting with ‘9to5Mac’.

Apple has since disabled the feature and is said to be rolling out a patch soon.

Whilst Apple probably get a lot of false positives, they clearly need a better system in place whereby genuine bug reports can get through to the right people in a timely fashion. Those who discover bugs should not need to report them publicly for Apple to notice. Apple run a ‘bug bounty’ program where pay-outs can range from $25,000 to $200,000. Although in this case, there has been no pay-out as far as we are aware.

Microsoft has announced that Internet Explorer 10 will be meeting its certain demise in 2020, alongside the OS Windows 7. Back in 2016 Microsoft shifted it’s focus to its Edge browser, in an effort to better meet the requirements of modern web browsing, but limited Edge to Windows 10, iOS and Android – after all, at the time not all operating systems could run IE 11.

Windows Embedded 8 Standard and Windows Server 2012 will remain supported until 2023. Microsoft are to make IE11 available for Server 2012 admins via the Microsoft Update Catalogue and Update Service. Or you could make the switch to Windows Server 2016 or 2019.

Although, I doubt many consumer users will mourn or even notice IE10’s departure.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.